EAP-TLS Attributes

Phil Mayers p.mayers at imperial.ac.uk
Wed Nov 16 23:24:33 CET 2011

On 11/16/2011 09:53 PM, Houston-III, Lester L wrote:

> What I want to do now is have the StrongSwan VPN client inject some
> custom data into the EAP message so that data can be propagated through
> to JRADIUS for use in the post authorization method. Maybe something
> like creating my own attribute or something. Is this possible? If so,
> how can I do this? If not, is there a way to modify an existing
> FreeRADIUS attribute that can be modified by the StrongSwan VPN client?

Ok - you want to communicate data from the StrongSwan VPN client, to 

Basically this is really, really hard. You will need to extend an EAP 
mechanism to send some arbitrary payload, or make use of an existing EAP 
mechanism that can carry such data. It will require source code changes 
on both the StrongSwan client, and the FreeRADIUS server.

You can't "use a radius attribute" - the StrongSwan client doesn't speak 
radius. It speaks EAP over IKE/IKEv2 to an IPSec peer, and the IPSec 
peer transports the EAP over radius. Any data will therefore need to 
travel inside the EAP mechanism.

What data do you want to communicate from client to server? Instead of 
saying how you want to do something, state what you want to do.

More information about the Freeradius-Users mailing list